Simply put, a couple of independent non-profit privacy groups in Ireland filed a complaint against Google.

The concerns about Google were centered on the terms of service and personal data used for targeted ads in Google services on Android systems. Android as you know is Google’s mobile operating system.

The French Data Protection Authority (a.k.a CNIL) investigated and ruled on the complaints against Google.

Google was hit with the highest GDPR fine yet, 50 million Euros.

Nearly $57 million.

Regulators noted GDPR violations included the following:

Google was not transparent about the personal data it collected

2. Google was not transparent about processing purpose or purposes

3. Google confused users with vague notices in numerous locations

4. Google lacked retention policies

5. Users consents were neither freely given nor properly obtained

6. Invalid use of default opt-outs

Consent was not specific for each purpose of personal data processing. Plus, Google used a blanket “I agree to the terms…” which meant that users were unknowingly agreeing to all services and processing.

An option to decline the use of Google suit of mobile applications and services were hidden and hard for users to find.

Android users were unable to decline Google services. That is, YouTube, Google Maps, Gmail, Google Search, among others. Rather users were forced into all of Google’s services wether users wanted that or not. Seriously, what choice do you have as a user, or what would you do if you got an alert indicating that not registering your Google account when configuring Android will degrade device functionality? It might get on the user’s nerves initially but they’ll cave-in within minutes.

Do any of these sound like what your organization is doing hoping it won’t get caught?

Why $50 million Euros though – that’s stiff.

True. But that’s based on 1. How long this had been going on and 2. The level of negative impact these activities have on individuals’ privacy rights and freedoms.

Point is, it’s the same thing that privacy experts have been saying to every business or organization. Besides, other tech giants have been dinged by the FTC for similar infractions – though not for nearly as much millions of dollars. You would think Google would have learned.

Get professional help. Don’t put-off privacy implementation. You may have other priorities but compliance should be a critical one.

Non-compliance risks are getting expensive. Imagine what Google could do with extra $57 million in its pocket? Take a risk-based approach to privacy. Look at what you collect, why you collect, and if your notices to consumers are specific enough. Take a step back and think about it – do consumers really understand what you’re asking them to consent to? Are you making consent favorable to your interests than the consumers’? Why do you keep or use personal information for as long as you do, and is that going to be a problem with GDPR, national, or local laws – were you have business activities. How much will it cost you when you’re caught?

Hire a DPO or privacy expert who can maintain accountability for and focus on all of your EU markets. Choose ahead which Data Protection Authority (DPA) will be the lead or police your compliance issues. That DPA will be the main regulator you’ll check-in with, report to, get advice from, etc. Some are more stringent than others but that’s not the basis for choosing a lead DPA.

Be open. Are you transparent with your privacy practices, or do you keep them under wraps. What safeguards have you put in place and are you helping users exercise their rights as needed? Figure out what negative impact or outcomes your personal data processing practices would have on people’s lives and rights. These would be the risks that regulators would look for. If you’re proactive about your organization’s approach to privacy, you can better manage and mitigate these risks better and earlier.

Be proactive. Neglecting to address privacy principles and data protection requirements won’t earn you any discounts on fines. Like Google, you’ll be paying more than full price. GDPR regulators can tell if your business is making reasonable efforts to respect and preserve consumer privacy. Similar to the FTC, they’ve been in the business long enough to spot unfair and deceptive practices (miles away) even if you believe your own lies it won’t get you very far.